With many Canadian businesses having made the transition to working remotely (either partially or fully) in response to COVID-19, information security has never been more critical. CWB’s Chief Information Security Officer Cory Gould offers businesses the following advice and best practices to keep their data and assets safe in a work-from-home environment.
Be aware of suspicious emails
E-mail phishing remains the tried-and-true method that hackers use to exploit unsuspecting targets. Fraudsters send emails with malicious files or links that, when downloaded or clicked, can compromise a user or business. “They’re much more effective when they leverage world events like COVID-19 to convince us that an email is legitimate,” says Gould, adding the method has become more sophisticated. “We’re seeing a trend towards personalized messages, which is much more effective in tricking people to download malicious attachments or follow links.”
Opportunistic hackers are posing as someone the target knows and trusts, perhaps another business owner or colleague, in an effort to gain access to passwords or accounts. And as legitimate directions are sent through email now more than ever, hackers are taking advantage. “Once compromised, they masquerade as the owner of the email account and instruct staff to redirect funds, pay invoices or execute bank wire transactions to an unusual bank account,” explains Gould.
To combat this, he stresses one word: caution. “We need to be cautious with the instructions we receive, following up and validating before we act, especially when they concern moving money,” he says, advising that even if something seems only a little bit off, it’s best to let people know.
Best practices to stay safe
Always remember, sound information security starts with you.
“First and foremost, trust your gut,” Gould emphasizes. “If something doesn’t seem right, ask.” He offers the following safeguards that business owners and individuals alike can enact while moving to largely digital work processes.
- Set up notifications and triggers when actions occur in your online bank account. These can prompt you when a new payment is made or a new credit card is registered. (CWB Pro Tip: Find this feature in ‘Messages and Alerts’ in the left-hand navigation bar of CWBdirect Online Banking).
- If multiple people in your organization make payments and manage cash flow, use unique identities in your payment systems. “If you have a dozen staff in your company for accounts payables, make sure each person has a unique identity,” says Gould.
- Be alert to terms or language a sender might not normally use. “Pay attention to the norms,” advises Gould. Your customers likely use familiar language and give consistent instructions, so if anything feels off in their email communication, trust your instincts and validate the message with a colleague or superior.
- Use multi-factor authentication whenever possible. Adding the complexity of a randomly generated token for accessing your email or social media accounts significantly bolsters security. Consider cloud services like Office 365 or Google’s suite of business apps.
- Make sure all of your business systems are patched and updated, and use anti-malware software on all your devices.
- Don’t repeat your passwords. “It’s a very common mistake to use the same password for Facebook as you would for your online bank account,” says Gould. “Separate your social behaviours from your business transactions online.”
What your employees should know about working from home
Moving to a remote working environment can take some adjusting, but there are simple steps a business can take to help their employees maintain information security while at home.
- A ‘clean desk policy’ is easy to implement in any home office. “When you’re working with private, confidential information in a new environment, you have to remember to practice extra caution,” says Gould. “If you print stuff out, shred it. Use business email addresses and not personal email addresses. If you save a file, make sure it’s not on your personal desktop. Always think twice about downloading and sending information, especially if you have multiple people in the home using the same devices or networks.”
- Use business-issued devices rather than personal ones for your business actions where possible. “This keeps your business and home activities separate, and provides less opportunity for misuse of data from a malicious outside source or an internal accident,” says Gould.
- Use due diligence when you’re considering the tools to transition to remote work and how you manage your work and personal devices. For example, if you want to move your business into a cloud or hosted model, identify the key data and services you want to transfer. If you’re not sure how these systems work, seek professional and legal advice as there are multiple elements to consider, including data ownership, access and other legal factors.
“By moving to online services and remote work arrangements, you’re not deferring your risk — the business you conduct in an online fashion is still yours to own,” says Gould. “You’re obligated to your customers and staff to do this correctly. Seek out professional and legal advice if something is unfamiliar or particularly sensitive.”
Want more information on cybersecurity? The Canadian Centre for Cyber Security posts alerts and advisories, telework security tips, and tools and services to help protect you as a business owner and an individual.